QPP 3 and 6 - authorised by law or court order

Overview

Queensland government agencies¹ must handle personal information in accordance with the Queensland Privacy Principles (QPP) in the Information Privacy Act 2009 (Qld) (IP Act).

This guideline is based on and includes material from the Australian Privacy Principle guidelines developed by the Office of the Australian Information Commissioner.

What is personal information?

Section 12 of the IP Act provides that personal information means information or an opinion about an identified individual or an individual who is reasonably identifiable from the information or opinion, whether the information or opinion is true or recorded in a material form.

The individual does not need to be directly identified in the information for it to be personal information. It is sufficient if they can reasonably be identified by reference to other information.

‘Sensitive information’ is a category of personal information defined in schedule 5 of the IP Act, and includes information about an individual’s racial or ethnic origin, political opinions, religious beliefs, sexual orientation and criminal record. It also includes health, genetic and some biometric information.

Refer to Key privacy concepts – sensitive and personal information for more information.

Collection of personal and sensitive information

An agency must collect personal information only from the individual it is about and can only collect sensitive information with consent unless one of the exceptions in QPP 3.6 or 3.4 apply.

Refer to QPP 3 – collection of personal information for more information.

Use or disclosure

An agency can use or disclose personal information for the reason it was collected (the primary purpose). An agency can only use or disclose personal information for a secondary purpose as set out in QPP 6.

Use and disclosure are both defined in the IP Act.² Refer to Key privacy concepts – use and disclosure for more information.

Required or authorised by law or court order

If an agency is required or authorised under an Australian law or a court or tribunal order, an agency may:

• use or disclose personal information for a secondary purpose, under QPP 6.2(b)
• collect sensitive information without consent, under QPP 3.4(a); and
• collect personal information from someone other than the individual, under QPP 3.6(a)(ii).

Required or authorised by Australian law

‘Australian law’ means a law of the Commonwealth or a State and includes the common law.³ This includes the requirement to provide people with natural justice.⁴ For more information refer to the QPP 6 - use or disclosure for natural justice guideline.

Required or authorised

Use, disclosure, or collection of the information will be required under a law where:

• the law in question specifically requires collection of the information, or requires the agency holding the information to use it or disclose it for the secondary purpose – ie, where the agency cannot choose to act differently; and
• the law gives a third party the power to compel the production of information from the agency and the agency complies.

Use, disclosure, or collection of personal information will be authorised under a law where the collection, use or disclosure is permitted but not required. The law must clearly and expressly give the holding agency the discretion to collect, use or disclose the personal information for that purpose.

It is not sufficient that the agency can show that the use, disclosure, or collection is within the agency’s lawful functions. It must be able to point to a specific law that permits the use or disclosure.

A general or incidental power granting an agency the power to ‘do anything necessary’ or ‘do anything else in connection with’ will not be sufficient to authorise the use, disclosure, or collection. The power or law must use clear and direct language.⁵

Use, disclosure, or collection is not authorised by law simply because there is no law prohibiting it.

Required or authorised by or under a court order

An order of a court or tribunal includes an order, direction, or other instrument (order) made by any Commonwealth, State or Territory court or tribunal, including a coroner or justice.⁶

Use, disclosure, or collection will be required by the order if the agency has no option not to use, disclose or collect the information as set out in the order, e.g., a subpoena that requires the agency to provide information or produce records or documents.

Use, disclosure, or collection will be authorised under the order if:

• the order gives the agency permission to, but does not require it to, collect, use, or disclose personal information; or
• the agency has the option to not comply with the order.

Impliedly authorised or required

Generally, the use, disclosure or collection of information must be explicitly required or authorised by or under a law or order. However, there are some circumstances where the requirement or authorisation may be implied.

If it is not possible to take an action required or authorised by the law or comply with an order of a court or tribunal, without collecting, using or disclosing the information, the collection, use or disclosure will be impliedly required or authorised. For example, an Act that authorises an agency to collect personal information about an individual from a third party impliedly authorises the agency to disclose the individual’s identity to the third party.